← BACK TO HOME
Privacy Policy
Last updated: March 2026
Secret Patio Lisbon, Lda. (hereinafter referred to as “the company”, “we” or “us”) takes the protection of your personal data seriously. This Privacy Policy informs you about how your personal data is processed when you visit our website at www.secretpatiolisbon.com and when you book our accommodation services.
1. Controller
The controller for the processing of your personal data within the meaning of Art. 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) is:
Secret Patio Lisbon, Lda.
R. Fernandes Tomás 64
1200-177 Lisboa, Portugal
Phone: +351 937 532 538
Email: hello@secretpatiolisbon.com
2. Data Protection Contact
If you have any questions regarding data protection, you can reach us at: hello@secretpatiolisbon.com
3. Data Processing When Visiting the Website
When you visit our website, we process certain personal data automatically.
3.1 Server Log Files
When you visit our website, our web server temporarily stores the following data in log files:
- The page from which the page was requested (referrer URL)
- The name and URL of the requested page
- The date and time of the request
- The type, language and version of the web browser used
- The IP address of the requesting device (anonymised)
- The amount of data transferred
- The operating system
- Whether the request was successful (HTTP status code)
This data is processed to ensure the stability and security of our website and for statistical purposes. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Log files are stored for a maximum of 30 days and then deleted.
3.2 Cookies
We use cookies to ensure the proper functioning of the website, improve user experience, analyse traffic and, with your consent, deliver personalised content and advertising. Cookies are classified by purpose and provider as described below.
Strictly Necessary Cookies
These cookies are essential for the website to function properly and cannot be disabled.
- atipico_session — Purpose: Maintain user session and ensure secure navigation. Retention: Session. Provider: Secret Patio / Atipico Hotels. Type: First-party
Preference Cookies
These cookies allow the website to remember choices such as language preferences.
- lang — Purpose: Store user language preference. Retention: 12 months. Provider: Secret Patio / Atipico Hotels. Type: First-party
Analytics Cookies
These cookies help us understand how visitors interact with the website.
- _ga (Google Analytics 4) — Purpose: Measure traffic and user behaviour. Retention: Up to 24 months. Provider: Google. Type: Third-party
Advertising and Measurement Cookies
These cookies are used to deliver relevant ads and measure campaign performance.
- _gcl_au — Purpose: Google Ads conversion tracking. Retention: 90 days. Provider: Google. Type: Third-party
- _fbp — Purpose: Meta (Facebook) advertising and remarketing. Retention: 3 months. Provider: Meta. Type: Third-party
- customerio_id — Purpose: Email marketing and automation. Retention: Variable. Provider: Customer.io. Type: Third-party
Functional Cookies
These cookies enable additional website functionality and integrations.
- wf_cookie — Purpose: Website functionality and CMS management. Retention: Variable. Provider: Webflow. Type: Third-party
Any use of cookies beyond what is technically necessary requires your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time by adjusting your browser settings or deleting cookies.
3.3 Google Analytics 4
We use Google Analytics 4 (provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) to analyse and improve our website usage. Google Analytics 4 may use cookies and collects data such as:
- Anonymised IP address
- Pages visited and user interactions
- Session data (duration, scroll behaviour, clicks)
- Device and browser information
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via your browser cookie settings. You can also prevent data collection by installing the Google Analytics Opt-out Browser Add-on.
For more information, see Google's Privacy Policy.
4. Data Processing for Bookings & Contact
4.1 Contact Requests
If you contact us by email, telephone, or via a contact form, the data you provide (e.g. name, email address, message content) will be processed to handle your enquiry. If your enquiry relates to the conclusion or performance of a contract, the legal basis is Art. 6(1)(b) GDPR. Otherwise, Art. 6(1)(f) GDPR (legitimate interest) applies.
Your data will be stored only as long as necessary to fully answer your enquiry, unless longer retention is required by law.
4.2 Booking of Accommodation
When you make a reservation, we collect the following personal data:
- Full name
- Email address
- Phone number
- Postal address
- Identification document details (passport or national ID, as required by Portuguese law)
- Desired accommodation type, check-in and check-out dates
- Payment information
This data is processed for the purpose of fulfilling the accommodation contract. The legal basis is Art. 6(1)(b) GDPR. We are also legally required under Portuguese hospitality regulations (Decreto-Lei n.º 92/2010) to collect guest identification data.
Your booking data is stored for the duration of your stay and thereafter as required by tax and commercial law obligations (typically up to 10 years).
4.3 Booking Engine (Mews)
We use the Mews booking engine (Mews Systems B.V., Colosseum 1, 1213 NL Hilversum, Netherlands) to manage reservations. When you make a booking through our website, your personal and payment data is transmitted to and processed by Mews.
Mews acts as a processor on our behalf in accordance with Art. 28 GDPR. For more information, see Mews' Privacy Policy.
4.4 Payment Processing
Payments are processed through our booking engine provider (Mews) which may use third-party payment processors such as Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland). Payment data (card details, transaction amounts) is handled securely by these processors and is not stored on our servers.
The legal basis is Art. 6(1)(b) GDPR (contract performance). For more information, see Stripe's Privacy Policy.
5. Transfer of Personal Data to Third Parties
The following categories of recipients may receive access to your personal data:
- Service providers: for website hosting, booking management, payment processing, advertising, email marketing, and IT security (acting as processors under Art. 28 GDPR). These include Google (Privacy Policy), Meta (Privacy Policy), Customer.io (Privacy Policy), Webflow (Privacy Policy), Mews (Privacy Policy), and Stripe (Privacy Policy)
- Government authorities: where required by law, e.g. Portuguese immigration and tax authorities (Art. 6(1)(c) GDPR)
- Professional advisors: auditors, legal advisors, and insurance providers as necessary for business operations (Art. 6(1)(f) GDPR)
We will only share your personal data with other third parties if you have given your explicit consent pursuant to Art. 6(1)(a) GDPR.
6. Data Retention & Deletion
Your personal data will be deleted or anonymised as soon as the purpose for which it was stored no longer applies, unless retention is required by applicable law (e.g. Portuguese tax law, commercial law). In such cases, data will be blocked from further processing and deleted upon expiry of the statutory retention period.
7. Data Security
We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorised access. These include TLS/SSL encryption for our website and secure data storage practices. Our security measures are continuously improved in line with technological developments.
8. International Data Transfers
Some of our service providers (e.g. Google, Meta, Customer.io, Webflow, Stripe) may transfer personal data to servers outside the European Economic Area (EEA), including the United States. Where such transfers occur, they are safeguarded by appropriate measures such as EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
For more information about the safeguards in place for specific services, please refer to the respective privacy policies linked in the sections above.
9. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at hello@secretpatiolisbon.com:
- Right of access (Art. 15 GDPR): request information about what personal data we process about you
- Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): request deletion of your data, unless processing is required by law
- Right to restriction of processing (Art. 18 GDPR): request that we limit how we process your data
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR): object to processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7(3) GDPR): withdraw any consent you have given at any time, without affecting the lawfulness of processing prior to withdrawal
- Right to lodge a complaint (Art. 77 GDPR): file a complaint with the Portuguese Data Protection Authority (CNPD — Comissão Nacional de Proteção de Dados), Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal, www.cnpd.pt
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or data processing practices. The current version will always be available on this page. We encourage you to review this Privacy Policy periodically.
← Back to Home
Privacy Policy
Last updated: March 2026
Secret Patio Lisbon, Lda. (hereinafter referred to as “the company”, “we” or “us”) takes the protection of your personal data seriously. This Privacy Policy informs you about how your personal data is processed when you visit our website at www.secretpatiolisbon.com and when you book our accommodation services.
1. Controller
The controller for the processing of your personal data within the meaning of Art. 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) is:
Secret Patio Lisbon, Lda.
R. Fernandes Tomás 64
1200-177 Lisboa, Portugal
Phone: +351 937 532 538
Email: hello@secretpatiolisbon.com
2. Data Protection Contact
If you have any questions regarding data protection, you can reach us at: hello@secretpatiolisbon.com
3. Data Processing When Visiting the Website
When you visit our website, we process certain personal data automatically.
3.1 Server Log Files
When you visit our website, our web server temporarily stores the following data in log files:
- The page from which the page was requested (referrer URL)
- The name and URL of the requested page
- The date and time of the request
- The type, language and version of the web browser used
- The IP address of the requesting device (anonymised)
- The amount of data transferred
- The operating system
- Whether the request was successful (HTTP status code)
This data is processed to ensure the stability and security of our website and for statistical purposes. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Log files are stored for a maximum of 30 days and then deleted.
3.2 Cookies
We use cookies to ensure the proper functioning of the website, improve user experience, analyse traffic and, with your consent, deliver personalised content and advertising. Cookies are classified by purpose and provider as described below.
Strictly Necessary Cookies
These cookies are essential for the website to function properly and cannot be disabled.
- atipico_session
Purpose: Maintain user session and ensure secure navigation
Retention: Session
Provider: Secret Patio / Atipico Hotels
Type: First-party
Preference Cookies
These cookies allow the website to remember choices such as language preferences.
- lang
Purpose: Store user language preference
Retention: 12 months
Provider: Secret Patio / Atipico Hotels
Type: First-party
Analytics Cookies
These cookies help us understand how visitors interact with the website.
- _ga (Google Analytics 4)
Purpose: Measure traffic and user behaviour
Retention: Up to 24 months
Provider: Google
Type: Third-party
Advertising and Measurement Cookies
These cookies are used to deliver relevant ads and measure campaign performance.
- _gcl_au
Purpose: Google Ads conversion tracking
Retention: 90 days
Provider: Google
Type: Third-party
- _fbp
Purpose: Meta (Facebook) advertising and remarketing
Retention: 3 months
Provider: Meta
Type: Third-party
- customerio_id
Purpose: Email marketing and automation
Retention: Variable (depending on configuration and user activity)
Provider: Customer.io
Type: Third-party
Functional Cookies
These cookies enable additional website functionality and integrations.
- wf_cookie
Purpose: Website functionality and CMS management
Retention: Variable (depending on configuration)
Provider: Webflow
Type: Third-party
Any use of cookies beyond what is technically necessary requires your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time by adjusting your browser settings or deleting cookies.
3.3 Google Analytics 4
We use Google Analytics 4 (provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) to analyse and improve our website usage. Google Analytics 4 may use cookies and collects data such as:
- Anonymised IP address
- Pages visited and user interactions
- Session data (duration, scroll behaviour, clicks)
- Device and browser information
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via your browser cookie settings. You can also prevent data collection by installing the Google Analytics Opt-out Browser Add-on.
For more information, see Google’s Privacy Policy.
4. Data Processing for Bookings & Contact
4.1 Contact Requests
If you contact us by email, telephone, or via a contact form, the data you provide (e.g. name, email address, message content) will be processed to handle your enquiry. If your enquiry relates to the conclusion or performance of a contract, the legal basis is Art. 6(1)(b) GDPR. Otherwise, Art. 6(1)(f) GDPR (legitimate interest) applies.
Your data will be stored only as long as necessary to fully answer your enquiry, unless longer retention is required by law.
4.2 Booking of Accommodation
When you make a reservation, we collect the following personal data:
- Full name
- Email address
- Phone number
- Postal address
- Identification document details (passport or national ID, as required by Portuguese law)
- Desired accommodation type, check-in and check-out dates
- Payment information
This data is processed for the purpose of fulfilling the accommodation contract. The legal basis is Art. 6(1)(b) GDPR. We are also legally required under Portuguese hospitality regulations (Decreto-Lei n.º 92/2010) to collect guest identification data.
Your booking data is stored for the duration of your stay and thereafter as required by tax and commercial law obligations (typically up to 10 years).
4.3 Booking Engine (Mews)
We use the Mews booking engine (Mews Systems B.V., Colosseum 1, 1213 NL Hilversum, Netherlands) to manage reservations. When you make a booking through our website, your personal and payment data is transmitted to and processed by Mews.
Mews acts as a processor on our behalf in accordance with Art. 28 GDPR. For more information, see Mews’ Privacy Policy.
4.4 Payment Processing
Payments are processed through our booking engine provider (Mews) which may use third-party payment processors such as Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland). Payment data (card details, transaction amounts) is handled securely by these processors and is not stored on our servers.
The legal basis is Art. 6(1)(b) GDPR (contract performance). For more information, see Stripe’s Privacy Policy.
5. Transfer of Personal Data to Third Parties
The following categories of recipients may receive access to your personal data:
- Service providers: for website hosting, booking management, payment processing, advertising, email marketing, and IT security (acting as processors under Art. 28 GDPR). These include Google (Privacy Policy), Meta (Privacy Policy), Customer.io (Privacy Policy), Webflow (Privacy Policy), Mews (Privacy Policy), and Stripe (Privacy Policy)
- Government authorities: where required by law, e.g. Portuguese immigration and tax authorities (Art. 6(1)(c) GDPR)
- Professional advisors: auditors, legal advisors, and insurance providers as necessary for business operations (Art. 6(1)(f) GDPR)
We will only share your personal data with other third parties if you have given your explicit consent pursuant to Art. 6(1)(a) GDPR.
6. Data Retention & Deletion
Your personal data will be deleted or anonymised as soon as the purpose for which it was stored no longer applies, unless retention is required by applicable law (e.g. Portuguese tax law, commercial law). In such cases, data will be blocked from further processing and deleted upon expiry of the statutory retention period.
7. Data Security
We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorised access. These include TLS/SSL encryption for our website and secure data storage practices. Our security measures are continuously improved in line with technological developments.
8. International Data Transfers
Some of our service providers (e.g. Google, Meta, Customer.io, Webflow, Stripe) may transfer personal data to servers outside the European Economic Area (EEA), including the United States. Where such transfers occur, they are safeguarded by appropriate measures such as EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
For more information about the safeguards in place for specific services, please refer to the respective privacy policies linked in the sections above.
9. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at hello@secretpatiolisbon.com:
- Right of access (Art. 15 GDPR): request information about what personal data we process about you
- Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): request deletion of your data, unless processing is required by law
- Right to restriction of processing (Art. 18 GDPR): request that we limit how we process your data
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR): object to processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7(3) GDPR): withdraw any consent you have given at any time, without affecting the lawfulness of processing prior to withdrawal
- Right to lodge a complaint (Art. 77 GDPR): file a complaint with the Portuguese Data Protection Authority (CNPD — Comissão Nacional de Proteção de Dados), Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal, www.cnpd.pt
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or data processing practices. The current version will always be available on this page. We encourage you to review this Privacy Policy periodically.
Secret Patio Lisbon, Lda.
R. Fernandes Tomás 64, 1200-177 Lisboa, Portugal
Tel: +351 937 532 538
Email: hello@secretpatiolisbon.com
Website: www.secretpatiolisbon.com